X11 Pentesting Tips

I’ve had to do a fair bit of X11 testing recently and needed to dust off a few cobwebs as it’s not something I come across that often. I guess there will be others in the same boat or those that haven’t come across it at all.

First up are remote XDMCP services listening on UDP port 177. These can be easily connected to and used from within your current X11 session by using Xephyr or Xnest, which is a lot less fiddly than starting up a new X instance, e.g.

$ Xephyr -query <host> -geometry 1024x786 :1

Open X11 services are easily identified with a service scan in nmap:

6001/tcp open X11 X.Org (open)

First, you might want to list all of the open windows and get their IDs:

$ xlsclients -al -display <host>:<display>
Window 0x200010:
 Machine: Myhost
 Name: xterm
 Icon Name: xterm
 Command: xterm
 Instance/Class: xterm/XTerm

With an open X11 service we usually do something like take a screenshot using xwd:

$ xwd -root -display <host>:<display> -out file.xwd
$ convert file.xwd file.jpeg 
$ xv file.jpeg

We can also use xwatchwin to watch windows remotely, so to watch the xterm listed above:

$ xwatchwin <host>:<display> -w 0x200010

Sometimes you might find that the screen is locked or black; sending a keyboard or mouse event to the remote server may wake it up. I’ve a small hacky Perl script that will move the mouse pointer, which can be handy for waking up the remote display or changing focus.

$ ./xtest.pl -d <displayname> -m
Currently focused Window: 0x0
X-shift: -100
Y-shift: -100
Currently focused Window: 0x200010

xtest.pl will also display basic information, take screenshots, change windows, list windows and kill pesky windows between you and that open shell. It’s over on GitHub.

xtest.pl 0.2 usage:

 -d <displayname> Uses $DISPLAY or :0.0 if none specified
 -k <windowid> In hex to kill
 -l List windows
 -f <windowid> In hex to focus input on
 -i Server information
 -m Move the mouse pointer
 -s <tofilename> Take screen capture using xwd

Sending keystrokes is a great way to take advantage of an open X11 session, and all too often people don’t seem to do this. If there is a terminal sitting there on the desktop, send yourself a shell!

We can use the virtual keyboard xvkbd for this: click on the xvkbd button down the bottom left and connect to the remote display. Once connected, type slowly to avoid errors; it might be an idea to check up on what you are typing by taking a screenshot or using xwatchwin.


The focus mode on xvkbd will move the mouse on the remote display, and auto-clicking can be set up, but this is rather fiddly. A better option is to install the xdotool application, which lets you easily move the mouse, send clicks/mousedown events and monitor the current mouse location, handy for opening menus etc. The following example right-clicks to open a context menu; we then take a screenshot to see where the pointer is, move relative to its current position and click again to open the option we are now over.

~ $ export DISPLAY=remote:0
~ $ xdotool click 3
~ $ xdotool getmouselocation
x:210 y:98 screen:0 window:0
~ $ xdotool mousemove_relative 10 50
~ $ xdotool click 3

We can also watch for events such as keystrokes in the remote session using xsnoop or the like, which might be handy if someone is using the session, but all too often it’s a forgotten session with no-one there:

$ ./xsnoop
ssh somehost

Plenty of fun to be had with an open X11 session; it’s not just screenshots and event sniffing as I’ve seen suggested in other reports and posts!
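
A host-side check for the two exposures this post relies on (a network-reachable X11 or XDMCP socket, and a server with access control switched off), added here as an example that is not part of the original post. The function names and sample data are constructed, and the input formats assumed are the output of `ss -H -tuln` and `xhost`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed inputs: output of
# `ss -H -tuln` (Linux iproute2) and of `xhost`, fed in on stdin.

# Print one finding per X11 (TCP 6000-6063, the conventional display range)
# or XDMCP (UDP 177) socket bound to a non-loopback address.
find_x_listeners() {
  awk '{
    proto = $1; addr = $5                      # Netid, Local Address:Port
    n = split(addr, parts, ":"); port = parts[n] + 0
    host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
    if (host ~ /^(127\.|\[::1\])/) next        # loopback, e.g. ssh -X forwarding
    if (proto == "tcp" && port >= 6000 && port <= 6063)
      printf "X11 display :%d reachable on %s\n", port - 6000, addr
    else if (proto == "udp" && port == 177)
      printf "XDMCP reachable on %s\n", addr
  }'
}

# Classify `xhost` output: "open" (access control disabled), "host-based"
# (address entries, which trust every user on that host) or "restricted".
classify_xhost() {
  awk '
    /^access control disabled/           { state = "open" }
    /^INET6?:/ && state != "open"        { state = "host-based" }
    END { print (state ? state : "restricted") }'
}

# Constructed sample input so the example runs offline.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:177 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:6001 0.0.0.0:*
tcp LISTEN 0 128 [::]:6001 [::]:*
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:buildhost.example
SI:localuser:alice'

printf '%s\n' "$SAMPLE_SS" | find_x_listeners
printf '%s\n' "$SAMPLE_XHOST" | classify_xhost
```

On a live host the same functions take `ss -H -tuln | find_x_listeners` and `xhost | classify_xhost`. Findings are closed off by starting the X server with `-nolisten tcp`, disabling XDMCP in the display manager, and running `xhost -` so that only cookie-authorised clients can connect.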

